CVE-2026-2207
Information Disclosure Vulnerability in WeKan Activity Publication Handler
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | to 8.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2207 is an information disclosure vulnerability in the Wekan application versions up to 8.20. It occurs due to insufficient authorization filtering in the activity publication logic, specifically in the file server/publications/activities.js within the Activity Publication Handler component.
The vulnerability allows unauthorized users to access activity data linked to boards they should not have permission to view. This happens because the system did not properly check if the requesting user had visibility rights on linked boards before returning activity information.
The security fix involves adding strict visibility checks for boards and linked boards, ensuring only authenticated users with proper access rights can see the activity data. This prevents unauthorized information disclosure by restricting access to activities on boards that are not visible to the user.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive activity information from boards within the Wekan application that you do not have permission to access.
An attacker could remotely exploit this flaw without authentication to view confidential activity data, potentially exposing internal project details, user actions, or other sensitive information managed within Wekan.
While it does not affect data integrity or availability, the confidentiality breach could result in privacy violations, information leakage, and potential competitive or operational risks depending on the nature of the disclosed activities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to activity data in Wekan due to insufficient authorization filtering in the activities publication logic. Detection would involve verifying if unauthorized users can access activity data from boards they should not have permission to view.
Since the issue is in the file server/publications/activities.js and relates to visibility checks on boards and linked boards, detection can include reviewing logs or monitoring API calls related to activity publications to identify if users without proper permissions are receiving activity data.
Specific commands are not provided in the available resources. However, general detection steps could include:
- Reviewing Wekan server logs for unusual access patterns to activity data.
- Using network monitoring tools to capture and analyze requests to the activities publication endpoint to check if unauthorized data is being returned.
- Testing access by attempting to query activity data from boards where the user should not have access, to verify if the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade Wekan to version 8.21 or later, which includes the patch that fixes this vulnerability.
The patch (commit ID 91a936e07d2976d4246dfe834281c3aaa87f9503) enforces proper user authentication and visibility checks on boards and linked boards, preventing unauthorized access to activity data.
Until the upgrade can be applied, consider restricting access to the affected publication endpoints and monitoring for suspicious activity to reduce the risk of exploitation.